END USER AGREEMENT

This End User Agreement (this "Agreement") is entered into as of the date of the last signature below (the "Effective Date") by and between The Punt Group, LLC d/b/a iSoftpull, a California limited liability company ("iSoftpull") and [Company] ("End User").

RECITALS

WHEREAS, iSoftpull is an authorized reseller of consumer credit report and credit score information for loan pre-qualification purposes, as well as other products and services of related thereto;

WHEREAS, iSoftpull's proprietary software solution delivers, among other things, soft credit inquiry and credit prequalification services to End Users.

WHEREAS, End User desires to purchase from iSoftpull certain products and services subject to the terms and conditions set forth herein (such products and services, the "Credit Reporting Solution").

NOW, THEREFORE, in consideration of the premises and the respective mutual agreements, covenants, representations and warranties contained in this Agreement, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. Credit Reporting Solution

End User hereby engages iSoftpull to provide End User access to the Credit Reporting Solution.

2. End User Application and Certification

Prior to providing any services under this Agreement, End User must undergo iSoftpull's on-boarding and certification process, which consists of a screening and compliance review designed to ensure that End User satisfies iSoftpull's stringent compliance and security requirements and has a permissible purpose to access consumer credit data. Additionally, we will need to gather basic identification information from End User to be entered into our system and the systems of our various providers.

3. Fees

End User hereby agrees to pay all fees set forth in the attached Fee Addendum, within the timeframe(s) set forth on such Fee Addendum.

4. Term and Termination

a. Term. Subject to earlier termination as provided herein, this Agreement is for an initial term of one (1) year following the Effective Date and shall be automatically renewed for additional successive one (1) year terms (collectively, the "Term"), unless either party requests termination by providing at least thirty (30) days prior notice to the other party. iSoftpull shall have the right to terminate this Agreement immediately upon notice to End User if End User violates its obligations under this Agreement, otherwise violates applicable law or knowingly or unknowingly causes iSoftpull to be in violation of any of its agreements with its vendors or suppliers.

b. Effect of Termination. Upon termination of this Agreement, End User will immediately lose access to the discounted pricing and Incentive Rebates described herein for its use of the Platform. In addition, if this Agreement is terminated by iSoftpull, End User shall promptly pay to iSoftpull any amounts outstanding hereunder. Additionally, upon termination iSoftpull may, inter alia, immediately revoke End User's privileges with respect to the Credit Reporting Solution and any other products or platforms related thereto or take any lesser action as iSoftpull may deem advisable in its sole discretion.

5. Consumer Disputes/Inquiries

End User will establish reasonably strict procedures, consistent with industry standards, so that End User's employees refer to iSoftpull all requests for disclosure from the subject of any information received thereby from the Credit Reporting Solution, except that End User may disclose consumer report information to subject consumers, pursuant to the FCRA and as otherwise limited by applicable law, who have been denied a benefit based on information contained in the consumer report. In those disclosures to consumers, End User may disclose only the information disclosed thereto. End User may not access any information derived from the Credit Reporting Solution for purposes of disclosure to consumers who wish disclosure for "curiosity" reasons only and may not handle consumer disputes related to any information derived from the Credit Reporting Solution, except as required by law or otherwise expressly permitted pursuant to a written agreement with iSoftpull. Consumer requests for disclosure based on curiosity, and all consumer disputes, will be referred to iSoftpull for handling.

6. Data Handling

End User will, with respect to handling all information derived from or related to the Credit Reporting Solution (the "Consumer Credit Information"):

• a. ensure that only authorized users can order or have access to the Consumer Credit Information;
• b. ensure that authorized users do not order consumer reports for personal reasons or provide them to any third party except as permitted by this Agreement;
• c. inform authorized users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment;
• d. ensure that all devices used by End User to order or access the Credit Reporting Solution or Consumer Credit Information are placed in a secure location and accessible only by authorized users, and that such devices are secured when not in use, through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures;
• e. take all necessary measures to prevent unauthorized ordering of or access to the Consumer Credit Information by any person other than an authorized user for permissible purposes, including, without limitation, limiting the knowledge of the End User security codes, member numbers, User IDs, and any passwords End User may use (collectively, "Security Information"), to those individuals with a need to know. In addition, the User IDs must be unique to each person, and the sharing of User IDs or passwords must be expressly prohibited;
• f. adhere to all security features in the software and hardware End User uses to order or access the Consumer Credit Information including the use of IP restriction;
• g. implement secure authentication practices when providing User ID and passwords to authorized users, including but not limited to using individually assigned email addresses and not shared email accounts;
• h. in no event access the Consumer Credit Information via any unregistered hand-held wireless communication device that has not gone through End User's device enrollment, access, and authentication process. Such process shall be reviewed and approved by iSoftpull prior to allowing access to Consumer Credit Information via any hand-held communication device;
• i. not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs and DVDs) to store the Consumer Credit Information;
• j. encrypt all Consumer Credit Information when it is not in use and, with respect to all printed Consumer Credit Information, store in a secure, locked container when not in use and completely destroy such Consumer Credit Information when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose;
• k. if End User sends, transfers or ships any Consumer Credit Information, encrypt the Consumer Credit Information using minimum standards of Advanced Encryption Standard (AES), minimum 128-bit key, encrypted algorithms, which standards may be modified from time to time by iSoftpull;
• l. not ship hardware or software between End User's locations or to third parties without deleting all Security Information and any consumer information;
• m. monitor compliance with the obligations of this Section 6, and immediately notify iSoftpull if End User suspects or knows of any unauthorized access or attempt to access the Consumer Credit Information, including, without limitation, a review of each iSoftpull invoice for the purpose of detecting any unauthorized activity;
• n. if End User uses a service provider to establish access to the Consumer Credit Information, be responsible for the service provider's use of Security Information, and ensure the service provider safeguards such Security Information through the use of security requirements that are no less stringent than those applicable to End User under this Section 6;
• o. use commercially reasonable efforts to assure data security when disposing of any consumer report information or record obtained from iSoftpull or the Credit Reporting Solution. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of End User's activities (e.g., the Federal Trade Commission, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records;
• p. provide prompt notification to iSoftpull of any change in address or office location and are subject to an onsite visit of the new location by iSoftpull or its designated representative; and
• q. in the event End User has a security incident involving Consumer Credit Information, End User will fully cooperate with iSoftpull in a security assessment process and promptly remediate any finding. For purposes of this Section, "security incident" means any actual breach, theft or unauthorized access, use, misuse, theft, vandalism, modification or transfer of Consumer Credit Information. "Authorized person(s)" means an employee of End User that has been authorized to order or access the Consumer Credit Information and who is trained on End User's obligations under this Agreement.

7. Miscellaneous

a. Amendment. This Agreement may not be amended or modified other than in a written instrument executed by both parties hereto.

b. Assignment. End User may not assign, delegate, or otherwise transfer its rights and obligations under this Agreement without the prior written consent of iSoftpull. Upon notice to End User, iSoftpull may assign, delegate, or transfer its rights and obligations under this Agreement.

c. Notices. All notices and other communications required or permitted hereunder shall be in writing and shall be mailed by registered or certified mail, postage prepaid, sent by electronic mail or otherwise delivered by hand or by messenger addressed to the relevant party's address listed on the signature page hereto or otherwise updated by notice to the other party.

d. Governing Law. The validity of this agreement, the construction, interpretation, and enforcement hereof, the rights of the parties hereto with respect to all matters arising hereunder or related hereto, and any claims, controversies or disputes arising hereunder or related hereto shall be determined under, governed by, and construed in accordance with the laws of the state of California, without regard to conflict of laws principles. The parties further acknowledge that this Agreement evidences a transaction involving interstate commerce. Notwithstanding the provision in the preceding paragraph with respect to applicable substantive law, any arbitration conducted pursuant to the terms of this Agreement shall be governed by the Federal Arbitration Act (9 U.S.C. §§ 1-16).

e. Release and Waiver. End User recognizes that the accuracy or completeness of any information furnished by iSoftpull via the Credit Reporting Solution or otherwise is not guaranteed by iSoftpull, and End User releases iSoftpull and its directors, officers, employees, agents, affiliated agencies, independent contractors, successors and assigns (the "iSoftpull Entities") from liability for any acts or omissions in connection with the Credit Reporting Solution or the information provided pursuant thereto and from any loss or expense suffered by End User resulting directly or indirectly from End User's relationship with iSoftpull, except to the extent such loss or expense results directly from the gross negligence or willful misconduct of any iSoftpull Entities. End User, on its own and on behalf of its customers/subscribers, covenants not to sue or maintain any claim, cause of action, demand, cross-action, counterclaim, third-party action or other form of pleading against iSoftpull or iSoftpull Entities arising out of or relating in any way to the currency, accuracy or inaccuracy, validity or nonvalidity, or completeness of any of the information provided through or pursuant to the Credit Reporting Solution.

f. DISCLAIMER OF WARRANTIES. ISOFTPULL MAKES NO REPRESENTATIONS, WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, RESPECTING THE CREDIT REPORTING SOLUTION OR ANY OTHER INFORMATION SERVICES, MACHINERY, EQUIPMENT, MATERIALS, PROGRAMMING AIDS OR OTHER ITEMS UTILIZED BY ISOFTPULL IN CONNECTION WITH OR RELATED TO, OR RESPECTING THE CURRENCY, ACCURACY OR COMPLETENESS OF, ANY INFORMATION FURNISHED BY ISOFTPULL TO END USER OR TO ANY SUBSCRIBERS OR CUSTOMERS OF END USER.

g. Dispute Resolution. Any controversy or claim between the parties to this Agreement, including the determination of the scope or applicability of this agreement to arbitrate, shall be determined by arbitration in San Diego, California before one arbitrator. The arbitration shall be administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures. Judgment on the Award may be entered in any court having jurisdiction. This clause shall not preclude parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction. The arbitrator shall award to the prevailing party, if any, the costs, attorneys' fees, and expert witness fees reasonably incurred by the prevailing party in connection with the arbitration.

h. Indemnification and Limitation of Liability. End User will indemnify and hold harmless iSoftpull and the iSoftpull Entities from and against any and all liabilities, claims, losses, demands, actions, causes of action, damages, expenses (including, without limitation, attorneys' fees and costs of litigation), or liability, arising from or in any manner related to any allegation, claim, demand or suit, whether or not meritorious, brought or asserted by any third party arising out of or resulting from any actual or alleged negligence or intentional misconduct of End User, whether or not any negligence of iSoftpull or the iSoftpull Entities is alleged to have been contributory thereto, the failure of End User to duly and fully perform its obligations under this Agreement, the failure of End User to insure the reliable and accurate delivery of information related to or produced by the Credit Reporting Solution, misuse or improper access to such information by End User or its subscribers or customers, or the failure of End User to comply with applicable laws or regulations.

i. Auditing. End User agrees to cooperate with any reasonable audit by iSoftpull and/or a vendor of iSoftpull to assure compliance with the terms of the Agreement. End User acknowledges that any failure to cooperate with a reasonable request regarding an audit constitutes grounds for immediate termination of the Agreement.

j. Confidentiality. End User acknowledges that iSoftpull is the owner of the Credit Reporting Solution and of all interests, programs, codes, software, software documentation or other appurtenances related to it and derived from it. End User further acknowledges that the Credit Reporting Solution and any codes, procedures or system documentation are confidential and proprietary to iSoftpull. iSoftpull does not convey or transfer, nor does End User obtain any right or interest in, any of the programs, systems, data, material, or credit information utilized or provided by iSoftpull in the performance of this Agreement. During the Term and thereafter, End User will maintain, and End User will cause its directors, officers, employees and agents to maintain, in strict confidence and not to disclose to any other person or entity any information, materials and know-how as may be provided to End User by iSoftpull during the Term and to take any actions necessary to protect against disclosure thereof. Upon the termination of this Agreement, End User will immediately (i) return to iSoftpull or (ii) destroy all copies and partial copies of manuals, materials and documents pertaining to iSoftpull or the Credit Reporting Solution. Neither End User nor any of its customers or subscribers shall reverse engineer the Credit Reporting Solution.

k. Compliance with Laws. End User will comply with applicable federal and state laws, rules and regulations relating to End User's performance of its obligations under this Agreement including, but not limited to, all applicable consumer financial protection laws. In addition, End User shall not engage in any unfair, deceptive, or abusive acts or practices.

l. Relationship of the Parties. The relationship of the parties established by this Agreement is solely that of independent contractors. Neither party is the representative or agent of the other for any purpose and neither has power or authority to act as agent for or to represent, act for, bind, or otherwise create or assume any obligation on behalf of the other.

m. Severability. In the event any provision of this Agreement is found to be illegal or unenforceable under applicable law, by a court having jurisdiction, such provision shall be unenforceable only to the extent necessary to make it enforceable without invalidating any of the remaining provisions of this Agreement.

n. No Third Party Beneficiaries. iSoftpull and End User acknowledge and intend that this Agreement is for the sole benefit of the parties hereto and their respective permitted successors and assigns, and nothing herein, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Agreement.

o. Entire Agreement. This Agreement, together with all exhibits and addenda, constitutes the entire agreement of the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous negotiations, agreements, representations, warranties and understandings of the parties with respect thereto.

p. Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall be deemed to be one and the same agreement. A signed copy of this Agreement delivered by electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy.

q. Waiver. No delay or omission by either party to exercise any right or power it has under this Agreement shall impair or be construed as a waiver of such right or power. A waiver by either party of any covenant or breach shall not be construed to be a waiver of any succeeding breach or of any other covenant. All waivers must be in writing and signed by the party waiving its rights.

IN WITNESS WHEREOF, each of iSoftpull and End User has caused its duly authorized representative to execute this Agreement as of the date of the last signature below.

End User: [Company]

FEE SCHEDULE

Software plans include full customer support (phone, email, chat), iSoftpull user licenses, all credit bureau codes available, FICO® Score or Vantage® Score access, Credit Intelligence, Credit Webform, and Zapier integration. Plan pricing and per-report rates as set forth in the Fee Addendum executed concurrently herewith.

Billing: iSoftpull automatically bills in the first week of each calendar month for the previous month's transactions and software services. Prices are exclusive of state and local taxes, as well as Colorado surcharges of $0.75 per transaction and Puerto Rico/Virgin Islands surcharges of $2.50 per transaction. Preferred payment method is ACH (no additional fee). Credit card payments subject to a 3% merchant processing fee. A one-time late payment fee of $25 will be added to subsequent invoices for each unpaid invoice overdue more than one billing cycle. Non-mortgage credit reports have an additional $0.15 FACTA surcharge; mortgage credit reports have a $0.24 FACTA surcharge per report. A $75 charge will be applied for on-site inspections not completed due to the fault of End User.

[Company] agrees to all terms of the End User Agreement and Fee Schedule above by executing this agreement below.

End User Certifications for PreQualification

The Punt Group, LLC d/b/a iSoftpull requires that all End Users wanting to access consumer credit reports for PreQualification purposes to make the following certifications prior to the End User being granted access to iSoftpull's PreQualification software platform:

Please initial next to each certification and sign below:

EXHIBIT A — Additional End User Terms and Conditions

This Exhibit is an Addendum to the End User Agreement between The Punt Group, LLC d/b/a iSoftpull ("iSoftpull") and [Company] ("End User"). It is intended to provide supplemental terms and conditions pertaining to the services provided by iSoftpull.

1. End User is being provided certain credit information from one or more of the credit bureaus that iSoftpull contracts with (Equifax Information Services LLC, TransUnion LLC and Experian Information Solutions, Inc.) in connection with the delivery of a consumer report.

2. Certifications and Permissible Purpose. End User acknowledges that the credit information from the credit bureaus is being provided based upon End User's certifications, including but not limited to End User certifying that it has and at all times will have a "permissible purpose" under the FCRA and all state law counterparts to access consumer credit reports from iSoftpull and that it will do so for the exclusive purpose of PreQualification (i.e., to determine if the consumer meets the credit criteria and/or credit terms of credit offers for which the consumer may be qualified), and for no other purpose, and that End User will not engage in any unfair, deceptive, or abusive acts or practices. End User acknowledges and agrees PreQualification services obtained from iSoftpull shall be used on a per session basis, provided, however, that End User shall have the right, for a period of up to thirty (30) days after procuring PreQualification services, to remind a consumer via email that credit options continue to be available for such consumer, provided that the content of such email specifically excludes any details on the credit options and does not contain any credit information obtained from the credit bureaus. Additionally, End User's use of PreQualification services that include credit information obtained from Experian are further subject to the instructions and requirements set forth in Exhibit 1-A ("Experian PreQualification Services").

3. TransUnion Scores. End User acknowledges and agrees that any TransUnion Score(s), which shall include the VantageScore, received are for the purpose of evaluating assets or investments (e.g., securities) containing or based on obligations of the consumers to which the TransUnion Scores apply (e.g., mortgages, student loans, auto loans, credit cards), provided that (a) Subscriber may disclose TransUnion Scores only in aggregated formats (e.g., averages and comparative groupings) that do not reveal individual TransUnion Scores, (b) Subscriber shall not provide any information that would enable a recipient to identify the individuals to whom the TransUnion Scores apply. End Users who utilize Fair ISAAC ("FICO") Scores obtained from TransUnion through iSoftpull further certify that they are subject to the additional terms and conditions set forth in Exhibit 1-B ("Minimum End User Terms and Conditions for Fair ISAAC Scores").

4. Resale Prohibited. End User acknowledges and agrees that it may not further resell any credit information from the credit bureaus obtained through iSoftpull.

5. Data Security/Safeguards. End User certifies that they shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to the client's size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the client by the Reseller. End User further certifies that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to: ensure the security and confidentiality of the information provided by reseller; protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or incontinence to any consumer. Such safeguards, shall include, at a minimum, the requirements contained in Exhibit 1-C ("Data Security Requirements"). End User further agrees that they are bound by the obligations of confidentiality set forth in Exhibit 1-D ("Confidential Treatment of Experian Proprietary Information").

6. TransUnion Codes and Passwords. End User acknowledges and agrees that: (i) all TransUnion-supplied identification codes (each a "User ID") and associated passwords (each a "Password") shall be kept confidential and secure (e.g., End User shall ensure that Passwords are not stored on any desktop and/or portable workstation/terminal nor other storage and retrieval system and/or media, that Internet browser caching functionality is not used to store Passwords and that appropriate firewalls or other electronic barriers are in place); and, (ii) each User ID and Password shall be used solely by individuals End User has authorized to use such User IDs and Passwords. In the event of any unauthorized use, misappropriation or other compromise of User IDs and/or Passwords, End User shall promptly (but in no event later than twenty-four (24) hours after the occurrence of any of the foregoing) notify iSoftpull by phone and in writing.

7. Experian Codes. End User acknowledges and agrees that with respect to any data and information received from Experian through iSoftpull ("Services"), End User will not (i) change, modify, add code or otherwise alter the Services in any manner, (ii) reverse engineer, disassemble, decompile, in any way attempt to derive the source code of, or translate the Services, or (iii) use, transform, modify, or adapt the Services for use for any other purpose, including but not limited to use to assist in the development or functioning of any product or service that is competitive, in part or in whole, with any existing or reasonably anticipated product or service of Experian.

8. Notice to Users of Consumer Reports: Obligations of Users Under The FCRA. End User acknowledges its receipt of the Notice to Users of Consumer Reports: Obligations of Users Under The FCRA, which is set forth in Exhibit 1-E.

9. California Retail Seller Certification. If Subscriber is a retailer who uses Consumer Report Information in connection with in-person credit applications, subject to the California Consumer Credit Reporting Agencies Act and all amendments thereto (Cal. Civ. Code § 1785.14 et al.), then Subscriber shall instruct its employees responsible for receiving in-person credit applications from California consumers, including point of sale applications, to inspect the applicant's photo identification prior to requesting Consumer Report Information. End User shall identify to iSoftpull when a qualifying in-person credit application is requested so that the transaction can be properly coded with the applicable credit bureau(s).

10. Vermont Certification. Subscriber agrees to comply with Vermont law when requesting a consumer report on a Vermont resident. Subscriber expressly agrees to obtain the consumer's consent before requesting a consumer report to the extent and in the manner required by Vermont law (see Vermont Fair Credit Reporting Act ("VFCRA"), 9 V.S.A. § 2480e and applicable rules). End User further certifies that the attached Exhibit 1-F including copies of Section 2480e of VFCRA and corresponding Rule, was received from iSoftpull.

11. Death Master File. Data provided by iSoftpull through the credit bureaus may include information obtained from the Death Master File ("DMF") made available by the Social Security Administration/US Department of Commerce National Technical Information Service and subject to regulations found at 15 CFR Part 1110 et al. and the Bipartisan Budget Act of 2013. End User shall comply with all applicable laws, and certifies that pursuant to Section 2-3 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, the End User's use of deceased flags or other indicia within credit information is restricted to legitimate fraud prevention or business purposes in compliance with applicable law, rules, and regulations, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). Additionally, End User will not take any adverse action against any consumer without further investigation to verify information from deceased flags or other indicia within the relevant credit information. Recipients of DMF data that fail to comply with 15 CFR Part 1110 may be subject to, among other things, penalties under 15 CFR 1110.200 of $1,000 for each disclosure or use, up to a maximum of $250,000 in penalties per calendar year.

12. Public Dissemination. End User acknowledges and agrees that it is prohibited from publicly disseminating any results of the validations and/or other reports derived from the credit information obtained from the credit bureaus iSoftpull contracts with without prior written consent.

13. Use of Trademarks. End User will not use, or permit their respective employees, agents and subcontractors to use, the trademarks, service marks, logos, names or any other proprietary designations of credit bureaus whether registered or unregistered, without prior written consent from the credit bureaus and iSoftpull.

14. Compliance With Laws. End User shall be responsible for its own compliance with all applicable federal and state legislation, regulations and judicial actions, including, but not limited to, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, Title V, Subtitle A, Financial Privacy (15 U.S.C. § 6801-6809) and all other applicable privacy laws, "do not call" laws, the Drivers Privacy Protection Act (18 U.S.C. Section 2721 et seq.) and similar and/or associated state laws and regulations governing the use and disclosure of drivers' license information, as now or as may become effective, to which it is subject. End User acknowledges and agrees that as between the credit bureaus and iSoftpull, iSoftpull shall be liable for any failure by End User to comply with all applicable laws, notwithstanding any potential indemnification obligations on the part of End User as to iSoftpull.

[Company] acknowledges and agrees to all Additional Terms and Conditions in Exhibit A above by executing this agreement below.

EXHIBIT 1-A — Experian PreQualification Services

This exhibit provides processes and additional terms that apply when the End User is using "written instructions" of the consumer as its permissible purpose under the FCRA for accessing consumer credit information of such consumer for the purpose of making pre-qualified offers of credit to the consumer to whom the report relates (the "Prequalification Services"). When accessing a consumer report in connection with the PreQualification Services, End User (or Third Party, as appropriate):

• (1) shall not provide the credit report (in whole or in part), a score, a decision, or any other information or decision derived from the PreQualification Services to the consumer or to any third party. Notwithstanding the foregoing, End User or Third Party may provide a consumer with End User's pre-qualification decision.
• (2) may return to consumer, credit options obtained by End User through the PreQualification Services, and may forward consumer-provided information to a third party to whom the credit option relates, but only if consumer provides subsequent consent to do so following receipt of such credit options.
• (3) shall not make any credit decision, nor provide FCRA regulated prescreen services, on behalf of a third party.
• (4) shall not post "ID stripped" credit profiles on its web site for bid by a third party.
• (5) may only provide consumer referrals to third parties that have their own permissible purpose as defined in Section 604 of the FCRA, and only as directed by the consumer to whom the credit report relates.
• (6) shall not operate as the agent of any third party, unless otherwise authorized by Experian.
• (7) shall not (a) operate as a reseller of Pre-Qualification Services or (b) directly or indirectly charge a consumer any costs or fees, or accept any other payment or valuable consideration from a consumer, for pre-qualification or any information derived therefrom ("Consumer Credit Information"), including, without limitation, by offering the PreQualification Service or Consumer Credit Information as the sole additional feature of a higher-priced service offering or as an incentive to or bundled with a fee-based offering.
• (8) shall use the PreQualification Services for a single credit transaction as provided for in the consumer's written instructions and shall not use the PreQualification Services for any other purpose including but not limited to targeting consumers for offers, such as for credit cards, charge cards, or loans.
• (9) shall not use, or permit their respective employees, agents and subcontractors to use, the trademarks, service marks, logos, names or any other proprietary designations of Experian, whether registered or unregistered, without prior written consent from Experian.
• (10) shall not: (a) advertise, represent, claim or infer that it can (i) remove accurate but negative information from the consumer's credit report or (ii) help the consumer restore a credit report or improve or enhance the consumer's credit score, record, history or rating; and (b) shall avoid the following terms: clear your credit, fix your credit, advice on correcting your credit, clean up your credit, repair your credit, guidance on how to correct your credit report, help to improve your score, etc.

EXHIBIT 1-B — Minimum End User Terms and Conditions for Fair ISAAC Scores, Archive Scores and VantageScores

This Exhibit governs the use by End User of credit risk scores or insurance risk scores, and associated reason codes of Fair Isaac Corporation ("Fair Isaac") ("FICO Scores"), Archive Scores and VantageScores that End User receives from Experian, Equifax and/or TransUnion.

1. General Provisions. The terms below govern the use by End User of (i) numeric credit risk scores or insurance risk scores, and associated reason codes of Fair Isaac Corporation ("FICO Scores"), (ii) FICO Scores that are scored utilizing archived, depersonalized, consumer report information from a prior processing month and delivered to iSoftpull for End Users' uses without adverse action codes, reason codes or consumer identifying information ("Archive Scores"); and (iii) VantageScores delivered to iSoftpull for End Users' uses.

FICO Score Uses. End User agrees that it shall use each such FICO Score only once and only in accordance with the permissible purpose under the Fair Credit Reporting Act ("FCRA") for which End User obtained the FICO Score.

VantageScores Uses. End User agrees that VantageScores will be requested only for its exclusive use. The VantageScores may be stored solely for use in furtherance of original purpose for obtaining the VantageScores and VantageScores shall not be used for model development or model calibration except in compliance with the specified conditions.

4. Intellectual Property. End User acknowledges that: (i) the FICO Scores, Archive Scores and VantageScores are proprietary; (ii) nothing herein shall alter intellectual property rights of Fair Isaac Corporation, Experian, Equifax and/or TransUnion; and (iii) Fair Isaac shall retain all its intellectual property rights in the Models used by Experian, Equifax and/or TransUnion to generate the FICO Scores, Archive Scores or VantageScores.

5. Compliance with Law. End User agrees that it will only use each FICO score for a permissible purpose under the FCRA, and that its use of the FICO Scores, Archive Scores and VantageScores must comply at all times with applicable federal, state and local law and regulations.

6. Confidentiality. End User agrees that it shall not disclose the FICO Scores, Archive Scores, nor the results of any validations or other reports derived from the FICO Scores and/or Archive Scores, to any third party (other than a consumer as expressly provided for herein) unless (i) such disclosure is clearly required by law, (ii) Fair Isaac provides written consent in advance of such disclosure, and/or (iii) such disclosure is to a designated third party processor or agent. End User shall not disclose a FICO Score to the consumer to which it pertains unless such disclosure is (i) approved in writing by Fair Isaac or (ii) required by law or is in connection with an adverse action and then only when accompanied by the corresponding reason codes.

7. VantageScores Specific Confidentiality. All VantageScores provided hereunder will be held in strict confidence and may never be sold, licensed, copied, reused, disclosed, reproduced, revealed or made accessible, in whole or in part, to any person or entity, except as specifically permitted herein. End User further agrees that the trademarks, trade names, product names, brands, logos, and service marks ("Marks") for VantageScore credit scores and credit scoring models will remain the sole property of VantageScore Solutions, LLC.

11. Third Party Beneficiary. End User agrees that: (a) Fair Isaac is a third party beneficiary hereunder with respect to Fair Isaac intellectual property (including without limitation the Models) and with fully enforceable rights; and (b) Fair Isaac's rights with respect to the Fair Isaac intellectual property, and all works derived therefrom are unconditional rights that shall survive the termination for any reason.

12. Audit. Upon prior written notice, Experian, Equifax and/or TransUnion and Fair Isaac shall have the right to audit End User to verify End User's compliance with this Agreement. End User shall accommodate such audit.

EXHIBIT 1-C — Data Security Requirements

The following measures are designed to reduce unauthorized access of consumer reports and consumer information. End User agrees to implement and maintain the following safeguards:

1. Ensure that only "Authorized Users" (employees with authority to order or access credit information and who are trained on End User's obligations under this Agreement) can order or have access to consumer credit information. End User shall require all Authorized Users to participate in information security training and awareness sessions at least annually and establish proof of learning for all personnel.
2. Inform Authorized Users that unauthorized access to consumer reports, including but not limited to ordering consumer reports for personal reasons or providing them to any third party except as permitted by this Agreement, may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment.
3. Ensure that all devices used by Authorized Users to order or access credit information are placed in a secure location and accessible only by Authorized Users, and that such devices are secured when not in use, through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures. In no event shall credit information be accessed via any unregistered hand-held wireless communication devices that have not gone through device enrollment, access and authentication process.
4. Take all necessary measures to prevent unauthorized ordering of or access to the credit information by any person other than an Authorized User for permissible purposes, including, without limitation, limiting the knowledge of relevant security codes, member numbers, User IDs, and any applicable passwords to those individuals with a need to know. In addition, the User IDs must be unique to each person, and the sharing of User IDs or passwords is prohibited.
5. Develop strong passwords that are (i) not easily guessable, (ii) contain a minimum of eight alphabetic and numeric characters for standard user accounts and (iii) ensure that passwords are changed periodically (at least every 90 days). Accounts will automatically lockout after five (5) consecutive failed login attempts.
6. Passwords must be changed immediately when (i) any system access software is replaced by another system access software or is no longer used, and/or (ii) any suspicion of password being disclosed to an unauthorized party. Additionally, at least quarterly entitlement reviews must be performed to recertify and validate Authorized User's access privileges.
7. Protect Authorized User passwords and transmission of credit information through use of encryption (minimum AES 128 but recommended 256 or above).
8. Utilize password protected screensavers with a maximum 15-minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended. Active logins to credit information systems must be configured with a 30-minute inactive session timeout.
9. Implement a process to terminate access rights immediately for users who access credit information when those users are terminated or have a change in their job tasks and no longer require access to credit information.
10. Adhere to all security features in the software and hardware used to order or access credit information, including the use of IP restriction. Applicable hardware and software shall not be shipped between locations or to third parties without deleting all credit/consumer information.
11. Implement secure authentication practices when providing User ID and passwords to Authorized Users, including but not limited to using individually assigned email addresses and not shared email accounts.
12. Ensure that no non-company owned assets, such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs and DVDs), are used to store credit information.
13. Notify iSoftpull of any suspected or known unauthorized access or attempted access of credit information so that iSoftpull can notify relevant credit bureaus of same. In the event there is a "security incident" (defined as an actual breach, theft or unauthorized access, use, misuse, theft, vandalism, modification or transfer involving credit information), fully cooperate with iSoftpull and/or credit bureaus in a security assessment process and promptly remediate any finding.
14. Use commercially reasonable efforts to assure data security when disposing of any consumer report information or record obtained from credit bureaus. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of CRA's activities (e.g., the Federal Trade Commission, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records.
15. Use commercially reasonable efforts to secure credit information when stored on servers; servers storing credit information must be separated from the Internet or other public networks by firewalls; protect credit information through multiple layers of network security; all servers must be kept current and patched on a timely basis with appropriate security-specific system patches. End User will perform regular penetration tests to further assess the security of systems and resources.
16. Not allow credit information to be displayed via the Internet unless utilizing, at a minimum, a three-tier architecture configured in accordance with industry best practices.
17. Use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review by iSoftpull and/or credit bureaus.
18. Provide prompt notification to iSoftpull of any change in address or office location and are subject to an onsite visit of the new location by iSoftpull and/or credit bureaus/designated representative.

EXHIBIT 1-D — Confidential Treatment of Experian Proprietary Information

All Services and all information provided in connection therewith (including without limitation all personal information about individual Consumers), all data in Experian's databases, improvements, technologies, inventions, developments, ideas, and discoveries associated therewith, and any other data and intellectual property that are part of, are related to or facilitate the Services (including without limitation the trademarks, service marks, logos, names or any other proprietary designations of any member of the Experian Group, whether registered or unregistered, and the terms of this Agreement) (collectively, the "Experian Proprietary Information") are and shall continue to be Experian's exclusive property. Nothing contained herein shall or shall be deemed to convey to iSoftpull, End User or to any other person or entity any ownership or license right, title or interest therein or thereto and, other than as expressly set forth herein. End User shall not use the Experian Proprietary Information without the express written consent of Experian.

End User shall keep strictly confidential all Experian Proprietary Information and shall not disclose such information other than (i) to its employees who have a need to know in accordance with the purpose for which the Services were obtained and (ii) as expressly permitted by this Agreement.

EXHIBIT 1-E — Notice to Users of Consumer Reports: Obligations of Users Under the FCRA

All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau's website, www.consumerfinance.gov/learnmore.

The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau's (CFPB) website at www.consumerfinance.gov/learnmore.

I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS

A. Users Must Have a Permissible Purpose. Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are: As ordered by a court or a federal grand jury subpoena (Section 604(a)(1)); As instructed by the consumer in writing (Section 604(a)(2)); For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account (Section 604(a)(3)(A)); For employment purposes, including hiring and promotion decisions, where the consumer has given written permission (Sections 604(a)(3)(B) and 604(b)); For the underwriting of insurance as a result of an application from a consumer (Section 604(a)(3)(C)); When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer (Section 604(a)(3)(F)(i)); To review a consumer's account to determine whether the consumer continues to meet the terms of the account (Section 604(a)(3)(F)(ii)).

B. Users Must Provide Certifications. Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

C. Users Must Notify Consumers When Adverse Actions Are Taken. If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following: The name, address, and telephone number of the CRA that provided the report; A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made; A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days; A statement setting forth the consumer's right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.

D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files. When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards.

E. Users Have Obligations When Notified of an Address Discrepancy. Section 605(h) requires nationwide CRAs to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer's file.

F. Users Have Obligations When Disposing of Records. Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. Federal regulations have been issued that cover disposal.

VIII. LIABILITY FOR VIOLATIONS OF THE FCRA. Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.

By executing this agreement below, you confirm receipt of all notices in Exhibits 1-A through 1-E above and understand the obligations described therein.

EXHIBIT 1-F — Vermont Fair Credit Reporting Act Certification

End User acknowledges that it is being provided with credit information in accordance with the Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480a (2016), as amended ("VFCRA"), and the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.

End User certifies that it will comply with applicable Vermont law. In particular, End User certifies that it will order credit information relating to Vermont residents only after receiving prior consumer consent in accordance with VFCRA § 2480e and applicable Vermont Rules. End User further certifies that the attached copies of Section 2480e of the Vermont Fair Credit Reporting Statute and the corresponding Rule have been received from iSoftpull.

Vermont Fair Credit Reporting Act § 2480e — Obtaining Consumer Credit Reports; Consent Required

(a) A person shall not obtain the credit report of a consumer unless:

1. the report is obtained in response to the order of a court having jurisdiction to issue such an order; or
2. the person has secured the written consent of the consumer, the consumer report is for one of the permissible purposes set forth in the federal Fair Credit Reporting Act, 15 U.S.C. § 1681b, and the consumer report is used for the purpose for which consent was given, subject to subsection (b) of this section.

(b) A consumer reporting agency shall not furnish a consumer report to any person who the agency has reasonable grounds for believing will use the consumer report in a manner prohibited by this chapter.

(c) A consumer reporting agency shall take reasonable steps to assure that, prior to reporting consumer credit information to subscribers, each subscriber has certified its compliance with the requirements of subsection (a) of this section. A consumer reporting agency shall not provide reports to a subscriber who fails to provide the required certifications.

Vermont Rule — Consumer Consent

Any consent required under Section 2480e of the Vermont Fair Credit Reporting Act must be in writing, must be signed by the consumer, and must clearly identify the person or entity that will obtain the report, the purpose for which the report will be used, and the date of the consent. A consumer reporting agency shall not provide a consumer report to any person unless such person certifies that the consumer's written consent has been obtained and is on file.

Compliance Officer Designation

By signing below, [Company] hereby designates the person signing below as the compliance officer responsible for credit reporting compliance matters, including those relating to Vermont residents, and certifies that such person is authorized to receive notices and communications from iSoftpull relating to compliance matters.

By executing this agreement below, you certify compliance with Vermont law and designate the undersigned as compliance officer.